{"id":28166404,"url":"https://github.com/mrboombastic/webauthn2go","last_synced_at":"2025-10-12T22:39:25.866Z","repository":{"id":292202500,"uuid":"969805112","full_name":"MrBoombastic/WebAuthn2Go","owner":"MrBoombastic","description":"A work-in-progress Go library designed to simplify the server-side implementation of the WebAuthn (FIDO2) protocol for passwordless authentication.","archived":false,"fork":false,"pushed_at":"2025-09-22T22:17:34.000Z","size":2492,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-09-23T00:18:44.210Z","etag":null,"topics":["2fa","auth","authentication","go","mfa","passkey","passkeys","webauthn"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MrBoombastic.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-04-21T00:46:11.000Z","updated_at":"2025-09-22T22:13:03.000Z","dependencies_parsed_at":null,"dependency_job_id":"8fe60d0e-5a29-45d4-91ee-17ab6f6a432e","html_url":"https://github.com/MrBoombastic/WebAuthn2Go","commit_stats":null,"previous_names":["mrboombastic/webauthn2go"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/MrBoombastic/WebAuthn2Go","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrBoombastic%2FWebAuthn2Go","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrBoombastic%2FWebAuthn2Go/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrBoombastic%2FWebAuthn2Go/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrBoombastic%2FWebAuthn2Go/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MrBoombastic","download_url":"https://codeload.github.com/MrBoombastic/WebAuthn2Go/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrBoombastic%2FWebAuthn2Go/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279013279,"owners_count":26085250,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-12T02:00:06.719Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["2fa","auth","authentication","go","mfa","passkey","passkeys","webauthn"],"created_at":"2025-05-15T13:12:13.648Z","updated_at":"2025-10-12T22:39:25.861Z","avatar_url":"https://github.com/MrBoombastic.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# WebAuthn2Go - Go WebAuthn Server Library\n\n![docs/hero.png](docs/hero.png)\n\n[![Go Reference](https://pkg.go.dev/badge/github.com/MrBoombastic/WebAuthn2Go.svg)](https://pkg.go.dev/github.com/MrBoombastic/WebAuthn2Go)\n\nA Go library designed to simplify the server-side implementation of the WebAuthn (FIDO2) protocol for passwordless\nauthentication.\n\n## Features\n\n* **WebAuthn Server Logic:** Handles core server-side registration and authentication ceremonies.\n* **Attestation Support:**\n    * Accepts `none`, `indirect`, and `packed` attestation formats.\n        * Currently, **skips cryptographic verification** of attestation statements (`AttStmt`), focusing on extracting\n          authenticator data (`AuthData`) including AAGUID and Public Key.\n* **Assertion Verification:** Validates login assertions including challenge, origin, RP ID, user presence/verification\n  flags, and signature.\n* **Sign Count Protection:** Checks for increasing sign counts to help prevent replay attacks (requires secure storage\n  by the caller).\n* **AAGUID Lookup:** Provides a utility to look up authenticator names based on AAGUID.\n* **Extensions Support:** Basic support for WebAuthn extensions.\n* **Configuration:** Simple configuration for Relying Party details.\n\n## Why this library?\n\nThis library is designed to be easy to use and integrate into existing Go applications. You don't need to especially\nimplement custom interfaces or convert your Fiber's `fasthttp.Request` into `http.Request`, like\nin https://github.com/go-webauthn/webauthn. There are no other alternatives, except\nthe https://github.com/egregors/passkey, which is a wrapper around the first one, which additionally can set cookies for\nyou.\n\nIf you want more flexibility or control, and you don't need fancy features - this is the library for You.\n\n## Why NOT this library?\n\nThis library is not intended to be a full-fledged WebAuthn implementation. It does not handle attestation verification,\nfor example. This library is also in early development, so may be not suitable for production use yet.\n\nThe library is also not popular. It's possible that this repo has more or less zero stars and has never been reviewed or\nused by the third party. So, if you are looking for a battle-tested library, this is not the one.\n\nOne more thing - **the code is written with the partial help of AI**. Although the author tried his best to understand\nWebAuthn\nspecification and read various sources, the code may be far from perfect or even insecure. Every line of code has been\nread and verified by myself. It wasn't just *do webauthn lib wololo* in ChatGPT. But still, please use it at your own\nrisk.\n\nUsed sources:\n\n- https://www.corbado.com/glossary/attestation and other glossary entries - readable, but sometimes too simple\n- https://webauthn.guide/ - general overview\n- https://www.w3.org/TR/webauthn/ - THE specification\n\n\u003e [!WARNING]\n\u003e This library supports only Go 1.24 and above.\n\n## Example\n\nThere is a simple example in the [example](./example) folder.\nIt uses the `github.com/gofiber/fiber/v2` web framework, but you can use whatever you want.\n\n## Installation\n\n```bash\ngo get github.com/MrBoombastic/WebAuthn2Go\n```\n\n## Configuration\n\nBefore using the library, you need to configure your Relying Party (RP) details and other minor settings.\n\n```go\nw, err := webauthn.New(\u0026webauthn.Config{\n    RPID:             \"localhost\",                       // Domain name only - must match the domain in your URL\n    RPDisplayName:    \"WebAuthn2Go Example\",             // Display name\n    RPOrigins:        []string{\"https://yourdomain.com\", \"https://auth.yourdomain.com\"}, // Allowed origins - with protocol and port\n    Timeout:          300_000,                           // Milliseconds, 5 minutes\n    UserVerification: webauthn.UVPreferred,              // User verification requirement\n    Attestation:      webauthn.AttestationIndirect,      // Attestation preference, Indirect gives us AAGUID\n    Debug:            true,                              // Enable debug logging\n})\n\nw, err := webauthn.New(rpConfig)\nif err != nil {\n  // Handle configuration error (e.g., missing RPID/Origins)\n  log.Fatalf(\"Failed to initialize WebAuthn: %v\", err)\n}\n```\n\n\u003e [!IMPORTANT]\n\u003e * `RPID` **must** be the effective domain of your web application. Browsers enforce this strictly.\n\u003e * `RPOrigins` **must** include all origins (scheme + host + port if non-default) from which WebAuthn requests will\n    originate. Mismatched origins will cause browser errors.\n\n## Usage Overview\n\nThe library provides functions to handle the two main WebAuthn ceremonies: Registration (`Create`) and Authentication (\n`Get`).\n\nPlease refer to the [example](./example) folder for a complete example (with SQLite3 support) of how to use the library.\nThe key methods are BeginRegistration, FinishRegistration, BeginLogin, and FinishLogin. You will have to provide\nrequired data and save returned data manually by yourself.\n\n### Key Caller Responsibilities:\n\n* **User Management:** Maintain your user database.\n* **Credential Storage:** Securely store the `CredentialID`, `PublicKey`, `AAGUID`, and `SignCount` associated with each\n  user after successful registration.\n* **Challenge Storage:** Securely store the challenge used for registration and authentication.\n\n## AAGUID Lookup subpackage\n\nThe library includes a subpackage for AAGUID lookup. You are welcome to use it in your own projects. Go to\n[example_aaguid](./example_aaguid) for more.\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"github.com/MrBoombastic/WebAuthn2Go/aaguid\"\n\t\"github.com/google/uuid\"\n)\n\nfunc main() {\n\tfmt.Println(aaguid.LookupAuthenticatorUUID(uuid.MustParse(\"ed042a3a-4b22-4455-bb69-a267b652ae7e\")))\n\t// Security Key NFC - Enterprise Edition (USB-A, USB-C) (Black) FW 5.7\n}\n```\n\n## Dependencies\n\n* `github.com/google/uuid` additional library used for AAGUID subpackage\n* `github.com/go-webauthn/webauthn/protocol/webauthncbor` for CBOR decoding.\n* `github.com/go-webauthn/webauthn/protocol/webauthncose` for parsing COSE public keys.\n\nThat may sound weird, that alternative to go-webauthn/webauthn uses that library, but actually there is no other choice\nif you want to support more than just ES256 algorithm. I'm also assuming that outsourcing \"the hard stuff\" to more\npopular libraries is a safer choice.\n\n## Security Considerations\n\n* **Challenge Management:** Ensure challenges are unique per operation, securely stored server-side (e.g., in\n  authenticated sessions), and used only once.\n* **Credential Storage:** Store public keys and especially sign counts securely. Compromise of the sign count storage\n  negates replay protection.\n* **Origin/RP ID Configuration:** Incorrect `RPID` or `RPOrigins` configuration will break functionality and is a\n  security boundary.\n* **Attestation Verification:** This library currently **does not** perform cryptographic verification of attestation\n  statements for `indirect` or `packed` formats.\n  It only parses the authenticator data.\n  If you require stricter\n  verification of authenticator provenance, you would need to implement the specific verification logic for those\n  formats.\n\n## Contributing\n\nContributions are welcome! Please feel free to submit pull requests or open issues.\n\n## License\n\nThis project is licensed under the MIT License - see the LICENSE file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmrboombastic%2Fwebauthn2go","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmrboombastic%2Fwebauthn2go","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmrboombastic%2Fwebauthn2go/lists"}